2016-02-17 18:40:55 +01:00
# MISP modules
2016-04-11 12:18:56 +02:00
[![Build Status ](https://travis-ci.org/MISP/misp-modules.svg?branch=master )](https://travis-ci.org/MISP/misp-modules)
2016-08-12 14:51:26 +02:00
[![Coverage Status ](https://coveralls.io/repos/github/MISP/misp-modules/badge.svg?branch=master )](https://coveralls.io/github/MISP/misp-modules?branch=master)
[![codecov ](https://codecov.io/gh/MISP/misp-modules/branch/master/graph/badge.svg )](https://codecov.io/gh/MISP/misp-modules)
2016-04-11 12:18:56 +02:00
2016-02-17 18:40:55 +01:00
MISP modules are autonomous modules that can be used for expansion and other services in [MISP ](https://github.com/MISP/MISP ).
The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities
2016-06-23 12:51:13 +02:00
without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.
2016-02-17 18:40:55 +01:00
2016-03-21 23:10:48 +01:00
MISP modules support is included in MISP starting from version 2.4.28.
2016-02-17 18:40:55 +01:00
2017-01-07 10:45:22 +01:00
For more information: [Extending MISP with Python modules ](https://www.circl.lu/assets/files/misp-training/switch2016/2-misp-modules.pdf ) slides from MISP training.
2016-03-27 21:57:07 +02:00
2016-02-17 18:40:55 +01:00
## Existing MISP modules
2016-08-12 13:48:02 +02:00
### Expansion modules
2019-02-08 18:27:20 +01:00
* [Backscatter.io ](misp_modules/modules/expansion/backscatter_io ) - a hover and expansion module to expand an IP address with mass-scanning observations.
2019-01-21 13:31:52 +01:00
* [BGP Ranking ](misp_modules/modules/expansion/bgpranking.py ) - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.
2019-02-05 14:46:42 +01:00
* [BTC scam check ](misp_modules/modules/expansion/btc_scam_check.py ) - An expansion hover module to instantly check if a BTC address has been abused.
2018-11-07 14:38:50 +01:00
* [BTC transactions ](misp_modules/modules/expansion/btc_steroids.py ) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.
2016-06-23 12:51:13 +02:00
* [CIRCL Passive DNS ](misp_modules/modules/expansion/circl_passivedns.py ) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
2018-01-16 11:05:26 +01:00
* [CIRCL Passive SSL ](misp_modules/modules/expansion/circl_passivessl.py ) - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
* [countrycode ](misp_modules/modules/expansion/countrycode.py ) - a hover module to tell you what country a URL belongs to.
2018-01-19 14:42:25 +01:00
* [CrowdStrike Falcon ](misp_modules/modules/expansion/crowdstrike_falcon.py ) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
2016-06-23 12:51:13 +02:00
* [CVE ](misp_modules/modules/expansion/cve.py ) - a hover module to give more information about a vulnerability (CVE).
2018-08-08 17:05:22 +02:00
* [DBL Spamhaus ](misp_modules/modules/expansion/dbl_spamhaus.py ) - a hover module to check Spamhaus DBL for a domain name.
2016-06-23 12:51:13 +02:00
* [DNS ](misp_modules/modules/expansion/dns.py ) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
2016-12-02 17:12:21 +01:00
* [DomainTools ](misp_modules/modules/expansion/domaintools.py ) - a hover and expansion module to get information from [DomainTools ](http://www.domaintools.com/ ) whois.
2016-06-23 12:51:13 +02:00
* [EUPI ](misp_modules/modules/expansion/eupi.py ) - a hover and expansion module to get information about an URL from the [Phishing Initiative project ](https://phishing-initiative.eu/?lang=en ).
2017-12-05 16:41:41 +01:00
* [Farsight DNSDB Passive DNS ](misp_modules/modules/expansion/farsight_passivedns.py ) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
2016-12-17 15:06:08 +01:00
* [GeoIP ](misp_modules/modules/expansion/geoip_country.py ) - a hover and expansion module to get GeoIP information from geolite/maxmind.
2018-05-30 06:56:42 +02:00
* [hashdd ](misp_modules/modules/expansion/hashdd.py ) - a hover module to check file hashes against [hashdd.com ](http://www.hashdd.com ) including NSLR dataset.
2018-12-13 10:19:23 +01:00
* [intel471 ](misp_modules/modules/expansion/intel471.py ) - an expansion module to get info from [Intel471 ](https://intel471.com ).
2016-06-23 12:51:13 +02:00
* [IPASN ](misp_modules/modules/expansion/ipasn.py ) - a hover and expansion to get the BGP ASN of an IP address.
2018-06-28 11:27:35 +02:00
* [iprep ](misp_modules/modules/expansion/iprep.py ) - an expansion module to get IP reputation from packetmail.net.
2018-09-19 20:51:23 +02:00
* [macaddress.io ](misp_modules/modules/expansion/macaddress_io.py ) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup ](https://macaddress.io ). See [integration tutorial here ](https://macaddress.io/integrations/MISP-module ).
2018-06-28 11:27:35 +02:00
* [onyphe ](misp_modules/modules/expansion/onyphe.py ) - a modules to process queries on Onyphe.
* [onyphe_full ](misp_modules/modules/expansion/onyphe_full.py ) - a modules to process full queries on Onyphe.
2018-01-16 11:05:26 +01:00
* [OTX ](misp_modules/modules/expansion/otx.py ) - an expansion module for [OTX ](https://otx.alienvault.com/ ).
2016-06-23 12:51:13 +02:00
* [passivetotal ](misp_modules/modules/expansion/passivetotal.py ) - a [passivetotal ](https://www.passivetotal.org/ ) module that queries a number of different PassiveTotal datasets.
2018-01-16 20:16:53 +01:00
* [rbl ](misp_modules/modules/expansion/rbl.py ) - a module to get RBL (Real-Time Blackhost List) values from an attribute.
2018-06-28 11:27:35 +02:00
* [reversedns ](misp_modules/modules/expansion/reversedns.py ) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
2018-07-18 22:19:52 +02:00
* [securitytrails ](misp_modules/modules/expansion/securitytrails.py ) - an expansion module for [securitytrails ](https://securitytrails.com/ ).
2017-03-08 17:37:28 +01:00
* [shodan ](misp_modules/modules/expansion/shodan.py ) - a minimal [shodan ](https://www.shodan.io/ ) expansion module.
2018-07-11 23:43:42 +02:00
* [Sigma queries ](misp_modules/modules/expansion/sigma_queries.py ) - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.
2018-06-28 11:27:35 +02:00
* [Sigma syntax validator ](misp_modules/modules/expansion/sigma_syntax_validator.py ) - Sigma syntax validator.
2016-06-24 02:15:25 +02:00
* [sourcecache ](misp_modules/modules/expansion/sourcecache.py ) - a module to cache a specific link from a MISP instance.
2018-07-02 11:38:33 +02:00
* [STIX2 pattern syntax validator ](misp_modules/modules/expansion/stix2_pattern_syntax_validator.py ) - a module to check a STIX2 pattern syntax.
2017-07-11 20:22:53 +02:00
* [ThreatCrowd ](misp_modules/modules/expansion/threatcrowd.py ) - an expansion module for [ThreatCrowd ](https://www.threatcrowd.org/ ).
2017-03-08 17:25:11 +01:00
* [threatminer ](misp_modules/modules/expansion/threatminer.py ) - an expansion module to expand from [ThreatMiner ](https://www.threatminer.org/ ).
2018-11-21 11:27:01 +01:00
* [urlscan ](misp_modules/modules/expansion/urlscan.py ) - an expansion module to query [urlscan.io ](https://urlscan.io ).
2016-08-17 10:46:13 +02:00
* [virustotal ](misp_modules/modules/expansion/virustotal.py ) - an expansion module to pull known resolutions and malware samples related with an IP/Domain from virusTotal (this modules require a VirusTotal private API key)
2018-06-28 11:27:35 +02:00
* [VMray ](misp_modules/modules/expansion/vmray_submit.py ) - a module to submit a sample to VMray.
* [VulnDB ](misp_modules/modules/expansion/vulndb.py ) - a module to query [VulnDB ](https://www.riskbasedsecurity.com/ ).
2018-11-21 11:27:01 +01:00
* [Vulners ](misp_modules/modules/expansion/vulners.py ) - an expansion module to expand information about CVEs using Vulners API.
2018-06-28 11:27:35 +02:00
* [whois ](misp_modules/modules/expansion ) - a module to query a local instance of [uwhois ](https://github.com/rafiot/uwhoisd ).
2017-03-08 17:37:28 +01:00
* [wikidata ](misp_modules/modules/expansion/wiki.py ) - a [wikidata ](https://www.wikidata.org ) expansion module.
* [xforce ](misp_modules/modules/expansion/xforceexchange.py ) - an IBM X-Force Exchange expansion module.
2018-10-31 10:35:10 +01:00
* [YARA query ](misp_modules/modules/expansion/yara_query.py ) - a module to create YARA rules from single hash attributes.
2018-02-12 21:13:32 +01:00
* [YARA syntax validator ](misp_modules/modules/expansion/yara_syntax_validator.py ) - YARA syntax validator.
2016-02-17 18:40:55 +01:00
2016-09-01 20:30:23 +02:00
### Export modules
2016-09-01 20:35:18 +02:00
* [CEF ](misp_modules/modules/export_mod/cef_export.py ) module to export Common Event Format (CEF).
2018-05-30 06:56:42 +02:00
* [GoAML export ](misp_modules/modules/export_mod/goamlexport.py ) module to export in [GoAML format ](http://goaml.unodc.org/goaml/en/index.html ).
2017-08-06 20:43:00 +02:00
* [Lite Export ](misp_modules/modules/export_mod/liteexport.py ) module to export a lite event.
2019-02-25 21:33:47 +01:00
* [PDF export ](misp_modules/modules/export_mod/pdfexport.py ) module to export an event in PDF.
2018-12-26 12:19:27 +01:00
* [Nexthink query format ](misp_modules/modules/export_mod/nexthinkexport.py ) module to export in Nexthink query format.
2018-12-26 12:22:23 +01:00
* [osquery ](misp_modules/modules/export_mod/osqueryexport.py ) module to export in [osquery ](https://osquery.io/ ) query format.
2017-08-06 20:43:00 +02:00
* [ThreatConnect ](misp_modules/modules/export_mod/threat_connect_export.py ) module to export in ThreatConnect CSV format.
2018-01-08 20:45:30 +01:00
* [ThreatStream ](misp_modules/modules/export_mod/threatStream_misp_export.py ) module to export in ThreatStream format.
2016-09-01 20:30:23 +02:00
2016-08-12 13:48:02 +02:00
### Import modules
2018-02-02 07:16:44 +01:00
* [CSV import ](misp_modules/modules/import_mod/csvimport.py ) Customizable CSV import module.
2017-01-07 10:45:22 +01:00
* [Cuckoo JSON ](misp_modules/modules/import_mod/cuckooimport.py ) Cuckoo JSON import.
2018-01-16 11:05:26 +01:00
* [Email Import ](misp_modules/modules/import_mod/email_import.py ) Email import module for MISP to import basic metadata.
2018-05-30 06:56:42 +02:00
* [GoAML import ](misp_modules/modules/import_mod/ ) Module to import [GoAML ](http://goaml.unodc.org/goaml/en/index.html ) XML format.
2016-08-12 13:48:02 +02:00
* [OCR ](misp_modules/modules/import_mod/ocr.py ) Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
2017-02-27 14:10:11 +01:00
* [OpenIOC ](misp_modules/modules/import_mod/openiocimport.py ) OpenIOC import based on PyMISP library.
2018-01-16 11:05:26 +01:00
* [ThreatAnalyzer ](misp_modules/modules/import_mod/threatanalyzer_import.py ) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
2017-01-07 10:45:22 +01:00
* [VMRay ](misp_modules/modules/import_mod/vmray_import.py ) - An import module to process VMRay export.
2016-08-12 13:48:02 +02:00
2018-10-24 17:34:44 +02:00
## How to install and start MISP modules in a Python virtualenv?
~~~~bash
2019-03-01 12:13:27 +01:00
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick virtualenv
2018-10-24 17:34:44 +02:00
sudo -u www-data virtualenv -p python3 /var/www/MISP/venv
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
cd misp-modules
sudo -u www-data /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS
sudo -u www-data /var/www/MISP/venv/bin/pip install .
sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log & \n' /etc/rc.local
/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
~~~~
2019-02-15 10:16:52 +01:00
## How to install and start MISP modules on Debian-based distributions ?
2016-03-24 16:52:53 +01:00
~~~~bash
2018-10-24 17:34:44 +02:00
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick
2016-07-22 11:56:31 +02:00
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
2016-03-24 16:52:53 +01:00
cd misp-modules
2016-11-29 13:49:00 +01:00
sudo pip3 install -I -r REQUIREMENTS
sudo pip3 install -I .
2018-10-24 17:34:44 +02:00
sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log & \n' /etc/rc.local
/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
2016-03-24 16:52:53 +01:00
~~~~
2019-02-15 10:16:52 +01:00
## How to install and start MISP modules on RHEL-based distributions ?
As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL ](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe ) repository.
~~~~bash
yum install rh-ruby22
cd /var/www/MISP
git clone https://github.com/MISP/misp-modules.git
cd misp-modules
scl enable rh-python36 ‘ python3 – m pip install cryptography’
scl enable rh-python36 ‘ python3 – m pip install -I -r REQUIREMENTS’
scl enable rh-python36 ‘ python3 – m pip install – I .’
~~~~
Create the service file /etc/systemd/system/misp-workers.service :
~~~~
[Unit]
Description=MISP's modules
After=misp-workers.service
[Service]
Type=simple
User=apache
Group=apache
ExecStart=/usr/bin/scl enable rh-python36 rh-ruby22 ‘ /opt/rh/rh-python36/root/bin/misp-modules – l 127.0.0.1 – s’
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
~~~~
The `After=misp-workers.service` must be changed or removed if you have not created a misp-workers service.
Then, enable the misp-modules service and start it ;
~~~~bash
systemctl daemon-reload
systemctl enable --now misp-modules
~~~~
2016-02-17 18:40:55 +01:00
## How to add your own MISP modules?
2016-10-22 23:13:20 +02:00
Create your module in [misp_modules/modules/expansion/ ](misp_modules/modules/expansion/ ), [misp_modules/modules/export_mod/ ](misp_modules/modules/export_mod/ ), or [misp_modules/modules/import_mod/ ](misp_modules/modules/import_mod/ ). The module should have at minimum three functions:
2016-02-17 18:40:55 +01:00
2016-03-09 07:49:46 +01:00
* **introspection** function that returns a dict of the supported attributes (input and output) by your expansion module.
2016-02-17 18:40:55 +01:00
* **handler** function which accepts a JSON document to expand the values and return a dictionary of the expanded values.
2016-03-16 07:57:37 +01:00
* **version** function that returns a dict with the version and the associated meta-data including potential configurations required of the module.
2016-02-17 18:40:55 +01:00
2016-02-29 21:49:42 +01:00
Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.
2018-10-25 21:54:25 +02:00
Your module's script name should also be added in the `__all__` list of `<module type folder>/__init__.py` in order for it to be loaded.
2016-10-22 23:13:20 +02:00
~~~python
...
# Checking for required value
if not request.get('ip-src'):
# Return an error message
return {'error': "A source IP is required"}
...
~~~
### introspection
The function that returns a dict of the supported attributes (input and output) by your expansion module.
~~~python
mispattributes = {'input': ['link', 'url'],
'output': ['attachment', 'malware-sample']}
def introspection():
return mispattributes
~~~
### version
The function that returns a dict with the version and the associated meta-data including potential configurations required of the module.
2016-12-26 22:55:54 +01:00
### Additional Configuration Values
2016-10-22 23:13:20 +02:00
If your module requires additional configuration (to be exposed via the MISP user-interface), you can define those in the moduleconfig value returned by the version function.
~~~python
# config fields that your code expects from the site admin
moduleconfig = ["apikey", "event_limit"]
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo
~~~
2016-12-26 22:55:54 +01:00
2016-10-22 23:13:20 +02:00
When you do this a config array is added to the meta-data output containing all the potential configuration values:
2016-03-03 07:18:51 +01:00
2016-03-16 07:57:37 +01:00
~~~
"meta": {
"description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
"config": [
"username",
"password"
],
2016-03-20 19:54:32 +01:00
"module-type": [
"expansion",
"hover"
],
2016-03-16 07:57:37 +01:00
...
~~~
2016-03-03 07:18:51 +01:00
2016-12-26 22:55:54 +01:00
If you want to use the configuration values set in the web interface they are stored in the key `config` in the JSON object passed to the handler.
~~~
def handler(q=False):
# Check if we were given a configuration
config = q.get("config", {})
# Find out if there is a username field
username = config.get("username", None)
~~~
2016-10-22 23:13:20 +02:00
### handler
The function which accepts a JSON document to expand the values and return a dictionary of the expanded values.
~~~python
def handler(q=False):
"Fully functional rot-13 encoder"
if q is False:
return False
request = json.loads(q)
src = request.get('ip-src')
if src is None:
# Return an error message
return {'error': "A source IP is required"}
else:
return {'results':
codecs.encode(src, "rot-13")}
~~~
2018-10-25 21:54:25 +02:00
#### export module
For an export module, the `request["data"]` object corresponds to a list of events (dictionaries) to handle.
Iterating over events attributes is performed using their `Attribute` key.
~~~python
...
for event in request["data"]:
for attribute in event["Attribute"]:
# do stuff w/ attribute['type'], attribute['value'], ...
...
2016-12-26 22:55:54 +01:00
### Returning Binary Data
If you want to return a file or other data you need to add a data attribute.
~~~python
{"results": {"values": "filename.txt",
"types": "attachment",
"data" : base64.b64encode(< ByteIO > ) # base64 encode your data first
"comment": "This is an attachment"}}
~~~
If the binary file is malware you can use 'malware-sample' as the type. If you do this the malware sample will be automatically zipped and password protected ('infected') after being uploaded.
~~~python
{"results": {"values": "filename.txt",
"types": "malware-sample",
"data" : base64.b64encode(< ByteIO > ) # base64 encode your data first
"comment": "This is an attachment"}}
~~~
2016-12-26 23:09:21 +01:00
[To learn more about how data attributes are processed you can read the processing code here. ](https://github.com/MISP/PyMISP/blob/4f230c9299ad9d2d1c851148c629b61a94f3f117/pymisp/mispevent.py#L185-L200 )
2016-12-26 22:55:54 +01:00
2016-10-22 23:13:20 +02:00
2016-03-20 19:54:32 +01:00
### Module type
2016-12-26 23:17:20 +01:00
A MISP module can be of four types:
2016-03-20 19:54:32 +01:00
- **expansion** - service related to an attribute that can be used to extend and update an existing event.
- **hover** - service related to an attribute to provide additional information to the users without updating the event.
2016-10-22 23:13:20 +02:00
- **import** - service related to importing and parsing an external object that can be used to extend an existing event.
2016-12-26 23:17:20 +01:00
- **export** - service related to exporting an object, event, or data.
2016-03-20 19:54:32 +01:00
module-type is an array where the list of supported types can be added.
2016-02-17 18:40:55 +01:00
## Testing your modules?
MISP uses the **modules** function to discover the available MISP modules and their supported MISP attributes:
~~~
% curl -s http://127.0.0.1:6666/modules | jq .
[
{
2016-03-16 07:57:37 +01:00
"name": "passivetotal",
"type": "expansion",
2016-02-24 00:55:14 +01:00
"mispattributes": {
2016-03-09 07:25:54 +01:00
"input": [
"hostname",
"domain",
2016-02-24 00:55:14 +01:00
"ip-src",
2016-03-16 07:57:37 +01:00
"ip-dst"
2016-02-24 00:55:14 +01:00
],
2016-03-09 07:25:54 +01:00
"output": [
"ip-src",
"ip-dst",
"hostname",
"domain"
]
},
2016-03-09 08:59:12 +01:00
"meta": {
2016-03-16 07:57:37 +01:00
"description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
"config": [
"username",
"password"
],
"author": "Alexandre Dulaunoy",
"version": "0.1"
}
},
{
"name": "sourcecache",
"type": "expansion",
"mispattributes": {
"input": [
"link"
],
"output": [
"link"
]
2016-03-09 08:59:12 +01:00
},
2016-03-16 07:57:37 +01:00
"meta": {
"description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.",
"author": "Alexandre Dulaunoy",
"version": "0.1"
}
2016-03-09 07:25:54 +01:00
},
{
2016-03-16 07:57:37 +01:00
"name": "dns",
"type": "expansion",
2016-03-09 07:25:54 +01:00
"mispattributes": {
2016-02-24 00:55:14 +01:00
"input": [
"hostname",
"domain"
2016-03-09 07:25:54 +01:00
],
"output": [
"ip-src",
"ip-dst"
2016-02-24 00:55:14 +01:00
]
},
2016-03-09 07:25:54 +01:00
"meta": {
2016-03-16 07:57:37 +01:00
"description": "Simple DNS expansion service to resolve IP address from MISP attributes",
"author": "Alexandre Dulaunoy",
"version": "0.1"
}
2016-02-17 18:40:55 +01:00
}
]
2016-03-16 07:57:37 +01:00
2016-02-17 18:40:55 +01:00
~~~
The MISP module service returns the available modules in a JSON array containing each module name along with their supported input attributes.
Based on this information, a query can be built in a JSON format and saved as body.json:
2016-03-16 07:57:37 +01:00
~~~json
{
"hostname": "www.foo.be",
"module": "dns"
}
~~~
Then you can POST this JSON format query towards the MISP object server:
2016-10-22 23:13:20 +02:00
~~~bash
2016-03-16 07:57:37 +01:00
curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @body .json -X POST
~~~
The module should output the following JSON:
2016-02-17 18:40:55 +01:00
~~~json
2016-02-24 00:23:26 +01:00
{
"results": [
{
"types": [
"ip-src",
"ip-dst"
],
"values": [
"188.65.217.78"
]
}
]
}
2016-02-17 18:40:55 +01:00
~~~
2016-07-26 12:13:49 +02:00
It is also possible to restrict the category options of the resolved attributes by passing a list of categories along (optional):
~~~json
{
"results": [
{
"types": [
"ip-src",
"ip-dst"
],
"values": [
"188.65.217.78"
],
"categories": [
"Network activity",
"Payload delivery"
]
}
]
}
~~~
For both the type and the category lists, the first item in the list will be the default setting on the interface.
2016-10-22 23:13:20 +02:00
### Enable your module in the web interface
For a module to be activated in the MISP web interface it must be enabled in the "Plugin Settings.
Go to "Administration > Server Settings" in the top menu
- Go to "Plugin Settings" in the top "tab menu bar"
- Click on the name of the type of module you have created to expand the list of plugins to show your module.
- Find the name of your plugin's "enabled" value in the Setting Column.
"Plugin.[MODULE NAME]_enabled"
- Double click on its "Value" column
~~~
Priority Setting Value Description Error Message
Recommended Plugin.Import_ocr_enabled false Enable or disable the ocr module. Value not set.
~~~
- Use the drop-down to set the enabled value to 'true'
~~~
Priority Setting Value Description Error Message
Recommended Plugin.Import_ocr_enabled true Enable or disable the ocr module. Value not set.
~~~
### Set any other required settings for your module
In this same menu set any other plugin settings that are required for testing.
2017-02-24 15:09:18 +01:00
## Install misp-module on an offline instance.
2018-07-02 11:38:33 +02:00
First, you need to grab all necessary packages for example like this :
2017-02-24 15:09:18 +01:00
Use pip wheel to create an archive
~~~
mkdir misp-modules-offline
pip3 wheel -r REQUIREMENTS shodan --wheel-dir=./misp-modules-offline
tar -cjvf misp-module-bundeled.tar.bz2 ./misp-modules-offline/*
~~~
2018-03-06 16:17:22 +01:00
On offline machine :
2017-02-24 15:09:18 +01:00
~~~
mkdir misp-modules-bundle
tar xvf misp-module-bundeled.tar.bz2 -C misp-modules-bundle
cd misp-modules-bundle
ls -1|while read line; do sudo pip3 install --force-reinstall --ignore-installed --upgrade --no-index --no-deps ${line};done
~~~
Next you can follow standard install procedure.
2016-10-22 23:13:20 +02:00
2016-03-09 07:49:46 +01:00
## How to contribute your own module?
Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.
2016-10-22 23:13:20 +02:00
## Tips for developers creating modules
Download a pre-built virtual image from the [MISP training materials ](https://www.circl.lu/services/misp-training-materials/ ).
- Create a Host-Only adapter in VirtualBox
2016-12-26 23:09:21 +01:00
- Set your Misp OVA to that Host-Only adapter
2016-10-22 23:13:20 +02:00
- Start the virtual machine
2016-12-26 23:09:21 +01:00
- Get the IP address of the virutal machine
- SSH into the machine (Login info on training page)
2016-10-22 23:13:20 +02:00
- Go into the misp-modules directory
~~~bash
cd /usr/local/src/misp-modules
~~~
Set the git repo to your fork and checkout your development branch. If you SSH'ed in as the misp user you will have to use sudo.
~~~bash
sudo git remote set-url origin https://github.com/YourRepo/misp-modules.git
sudo git pull
sudo git checkout MyModBranch
~~~
Remove the contents of the build directory and re-install misp-modules.
~~~python
sudo rm -fr build/*
sudo pip3 install --upgrade .
~~~
SSH in with a different terminal and run `misp-modules` with debugging enabled.
~~~python
2016-12-26 23:33:10 +01:00
sudo killall misp-modules
2016-10-22 23:13:20 +02:00
misp-modules -d
~~~
In your original terminal you can now run your tests manually and see any errors that arrive
~~~bash
cd tests/
curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @MY_TEST_FILE .json -X POST
cd ../
~~~
2018-03-06 16:17:22 +01:00
## Documentation
In order to provide documentation about some modules that require specific input / output / configuration, the [doc ](doc ) directory contains detailed information about the general purpose, requirements, features, input and ouput of each of these modules:
- ***description** - quick description of the general purpose of the module, as the one given by the moduleinfo
- **requirements** - special libraries needed to make the module work
- **features** - description of the way to use the module, with the required MISP features to make the module give the intended result
- **references** - link(s) giving additional information about the format concerned in the module
- **input** - description of the format of data used in input
- **output** - description of the format given as the result of the module execution